Hint to web crawlers that the example links shown in action=help output
should not be crawled for indexing by adding a rel=nofollow attribute to
their anchor tags.
Change-Id: I0c85bb3008e2f9238a5174741e293ded2536b1d3
This covers all occurrences of /onfig->.*get( '/ in includes/.
Undoubtedly there are still plenty more to go.
Change-Id: I33196c4153437778496f40436bcde399638ac361
This means any sitewide scripts, styles, gadgets, and user scripts
do not load here. Comparable to pages such as Special:Preferences,
and other pages related to account security.
Bug: T132720
Change-Id: I94491ae5003dfc13715137b5a4ba2357f537b04f
Make phan stricter about conditional variable declaration
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T259172
Change-Id: I1f200ac37df7448453688bf464a8250c97313e5d
Make phan stricter about array keys
Remaining false positive issues are suppressed.
The suppression and the setting change can only be done together
Bug: T304887
Depends-On: I3105a5fd4826f8667b5232834defc5ec93be32a1
Depends-On: Ie9610a6e83731468311edb3ed17f80fc509de385
Change-Id: I701f12ab94478c3b8e7fd82110ade74a8e6b04ef
* Use lower case without a full stop
* Use standard muted colour for secondary information. The
red warning colour is still used on the param page itself.
Change-Id: I734a2f31f9139b8415bd61dcbe0561232e2632ee
This reverts commit 2bcb3fe567.
Reason for revert: this is a good change,
just needed more work to not break CI
Change-Id: I23768bee242e3cf81b1493a740cf070e7ad1e224
This does not move the actual limit report data into
ParserOptions yet, that should be done separately
given that it will require serialization changes.
Let's get this change settled first before messing
with serialization.
This unifies canonical and non-canonical ParserOptions,
so ParserCache can now be used with both. It is hard
to say how this will affect the ParserCache capacity,
so we should monitor it after releasing this.
Change-Id: I154c0a77a5b0287b5572614d56339fb57ac56c33
The table of content styles will now be loaded on all pages rather than
just pages which have it. This will lead to less stylesheet fragmentation
across page views.
Skins in WMF production were updated long ago to automatically opt
into new features so will automatically gain this module:
I98b7e49b8a3bcba31284385d2f45e0164df2fbb4
I50afd035360ff2eccd5a934a02a218d093f9583d
I5b3920ae6e98111582b93e60a2b9950c478bff7d
If9283742a83ecfbe8c4246e3624022a56be8f161
If9ae25c41b91a8b47c154f0fd98984eac526654f
Skins that are using ResourceLoaderSkinModule with opt-in approach or
the existing mediawiki.skinning.interface, will automatically get these
new styles. Skins that are use neither of these mechanisms will need to
be modified if they wish to retain the collapsing functionality of the
table of contents. As of now, I am not aware of any such skins.
Note in a follow-up, the mediawiki.toc.styles module will be marked as
deprecated in 1.35. This is done separately to allow WMF caches
some time to roll over to the new code first.
Bug: T252774
Change-Id: Ie28b7e732664eb332be795d7e33cd9a227c21370
Migrate all callers of Hooks::run() to use the new
HookContainer/HookRunner system.
General principles:
* Use DI if it is already used. We're not changing the way state is
managed in this patch.
* HookContainer is always injected, not HookRunner. HookContainer
is a service, it's a more generic interface, it is the only
thing that provides isRegistered() which is needed in some cases,
and a HookRunner can be efficiently constructed from it
(confirmed by benchmark). Because HookContainer is needed
for object construction, it is also needed by all factories.
* "Ask your friendly local base class". Big hierarchies like
SpecialPage and ApiBase have getHookContainer() and getHookRunner()
methods in the base class, and classes that extend that base class
are not expected to know or care where the base class gets its
HookContainer from.
* ProtectedHookAccessorTrait provides protected getHookContainer() and
getHookRunner() methods, getting them from the global service
container. The point of this is to ease migration to DI by ensuring
that call sites ask their local friendly base class rather than
getting a HookRunner from the service container directly.
* Private $this->hookRunner. In some smaller classes where accessor
methods did not seem warranted, there is a private HookRunner property
which is accessed directly. Very rarely (two cases), there is a
protected property, for consistency with code that conventionally
assumes protected=private, but in cases where the class might actually
be overridden, a protected accessor is preferred over a protected
property.
* The last resort: Hooks::runner(). Mostly for static, file-scope and
global code. In a few cases it was used for objects with broken
construction schemes, out of horror or laziness.
Constructors with new required arguments:
* AuthManager
* BadFileLookup
* BlockManager
* ClassicInterwikiLookup
* ContentHandlerFactory
* ContentSecurityPolicy
* DefaultOptionsManager
* DerivedPageDataUpdater
* FullSearchResultWidget
* HtmlCacheUpdater
* LanguageFactory
* LanguageNameUtils
* LinkRenderer
* LinkRendererFactory
* LocalisationCache
* MagicWordFactory
* MessageCache
* NamespaceInfo
* PageEditStash
* PageHandlerFactory
* PageUpdater
* ParserFactory
* PermissionManager
* RevisionStore
* RevisionStoreFactory
* SearchEngineConfig
* SearchEngineFactory
* SearchFormWidget
* SearchNearMatcher
* SessionBackend
* SpecialPageFactory
* UserNameUtils
* UserOptionsManager
* WatchedItemQueryService
* WatchedItemStore
Constructors with new optional arguments:
* DefaultPreferencesFactory
* Language
* LinkHolderArray
* MovePage
* Parser
* ParserCache
* PasswordReset
* Router
setHookContainer() now required after construction:
* AuthenticationProvider
* ResourceLoaderModule
* SearchEngine
Change-Id: Id442b0dbe43aba84bd5cf801d86dedc768b082c7
Notably:
* In ApiManageTags, I used a switch instead of a dynamic function name,
so that the call graph will be correct.
* In ApiImageRotate, checkTitleUserPermissions() has always returned
void, this was an error introduced in 4e6810e4a2
Change-Id: Iea22616b8e7e2e0cc804619a54f8690898b2cb82
This brings significant modularization to the Action API's parameter
validation, and allows the Action API and MW REST API to share
validation code.
Note there are several changes in this patch that may affect other code;
see the entries in RELEASE-NOTES-1.35 for details.
Bug: T142080
Bug: T232672
Bug: T21195
Bug: T34675
Bug: T154774
Change-Id: I1462edc1701278760fa695308007006868b249fc
Depends-On: I10011be060fe6d27c7527312ad41218786b3f40d
This mostly mirrors the existing handling for deprecated modules. In
lists, internal modules are ordered after deprecated ones, with
deprecated internal modules at the very end.
action=paraminfo gains an array of internalvalues analogous to
deprecatedvalues. Help messages for internal modules are prefixed with
the text “Internal”. The help page and API sandbox styles color internal
values in red, just like deprecated values (and matching the existing
style for the “this module is internal or unstable” warning in the help
page), but do not add a strikethrough.
Bug: T185508
Change-Id: I5dfc3bacbc070d74f467eb1a4042cab159aa28ec
HHVM sniffs the content type and so probably correctly guesses
application/x-www-form-urlencoded and fills in $_POST, while PHP 7 does
not sniff and so doesn't fill in $_POST.
Since there are clients that have been expecting the HHVM behavior, give
a warning both to let them know and so we can have some idea of how many
such clients there are.
This also adds any warnings and errors as an HTML comment at the top of
the auto-generated help page, to hopefully make it easier for people
getting that unexpectedly to find out why.
Bug: T230735
Change-Id: I017b7afe808844d74d376f6436894a5a2f525a9f
These are both fairly small modules used in related low-traffic
scenarios. The cost of registering both globally on all page views
as a top-level entry point does not seem worth the marginal gain
of loading only one of these two in the contexts where they are
needed.
Change-Id: I42458ebec3f8d6e14e52e44d62fb914fcbeda5db
There's probably not much benefit in search engines indexing the API
auto-generated help or various random "format=jsonfm" outputs.
On Wikimedia wikis we already have a robots.txt entry denying indexing
of everything under /w/, which includes api.php.
Bug: T207818
Change-Id: I196d401eeb5fcf49844265df41ad3cce83ffdcdf
The module 'mediawiki.toc' is not needed anymore because it is
superseded by the style module 'mediawiki.toc.styles'.
In the skin the module 'mediawiki.toc' may be used by self-build TOCs
from the content.
Change-Id: I53cd6f222c77a1902b89913fe45c92c105dec022
Changes in the behavior:
* The toggle button generate no FOUC on loading.
* On keyboard navigation the toggle key is the space key and not the
return key.
* Animation on hide and show is missing. Maybe a new animation with CSS
can added.
* The state of the button is not saved in a cookie.
* Self-build TOCs can not get hidden.
Browser support:
* The new implementation does not need JavaScript and therefor it works
on browser with disabled JavaScript and on Grade C browser.
* The new implementation requires the CSS pseudo-class selector
:checked. Therefor IE8 and lower are not supported.
Risks:
* The new implementation needs additional HTML elements. These elements
also get cached and crawled. The elements have no content so they get
hopefully ignored by crawler.
* The new CSS code imitates some styles (link, focus). This must kept
up to date.
* Multiple TOCs on one page would generate the same id attribute.
This can avoided by appending a counter or better and easier a random
string to the id attribute.
Bug: T195053
Change-Id: I82db33d656b3795d7134a91d20ed9d93a3471086
Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
With MCR coming up, ApiEditPage is going to need to be able to take
"text" and "contentmodel" parameters for each slot-role, and enumerating
such parameters for every possible slot would probably get rather
confusing as to what is required when, or at least long-winded in
repeating the exact same thing for every possible role.
So let's abstract it: we'll have an "editroles" parameter to specify which
slots are being edited, and ApiEditPage will just declare that
"text-{role}" and "contentmodel-{role}" parameters should exist for each
value of "editroles" in the submission.
Note this patch doesn't introduce anything that uses templated
parameters, just the functionality itself. For testing purposes you
might cherry pick I2d658e9a.
Bug: T174032
Change-Id: Ia19a1617b73067bfb1f0f16ccc57d471778b7361
It is the job of git and svn to provide this information/metadata.
The form was different, some with short, some with long month name
some with leading zero at the day, some without.
The year is also present in the Copyright clause
Change-Id: If006907b82b9e45f13cfa2e45d41107a95570e1a
Adds two new ApiBase::getAllowedParams() keys:
PARAM_MAX_BYTES and PARAM_MAX_CHARS, to set a length
limit for a (string-like) parameter.
This makes it easy to document and enforce database
field length limits (where relying on the database
would either result in unfriendly error messages or
silent truncation, depending on DB settings) and
also exposes them in structured form so API clients
can verify the length without doing roundtrips.
Change-Id: I2e784972d7e11cad79fdef887bbcde297dbd9ce0
If someone is both dumb enough to blindly save an API response and to
then execute the resulting file, this can be used to attack their
computer.
We can mitigate this by disallowing PATH_INFO in api.php URLs (because
we don't make any use of them anyway) and by setting a sensible filename
using a Content-Disposition header so the browser won't go guessing at
the filename based on what is in the URL.
Issue reported by: Abdullah Hussam
Bug: T128209
Change-Id: I8526f5cc506c551edb6138d68450b6acea065e93
Adds two new parameter settings, ApiBase::PARAM_ISMULTI_LIMIT1
and PARAM_ISMULTI_LIMIT2 for configuring the maximum number of values
that can be contained in a multivalue field (for unprivileged and
apihighlimits users, respectively). When present, these replace the
default 50/500.
Change-Id: Ic1b1bcc7ff556b7762c8d2375d910cc4fcb43087
Undo traces of a practice we carried over from past projects and
existing examples that is neither universal nor actively encouraged in
the MediaWiki codebase.
Bug: T139301
Change-Id: I5c9c89b72a45a44aa4264a5e57b003c1a86cdf6e
Co-Authored-By: Brad Jorsch <bjorsch@wikimedia.org>
The module's summary will be used as the description of the value.
Since these are often very long lists, this also changes ApiSandbox to
collapse <dl> lists in parameter descriptions by default.
Bug: T123930
Change-Id: I205b68a52a94cae4c1cdf7ec9fd3e8a04d565919
This has a number of implications:
* A deprecation warning is automatically generated if the value is used.
* action=paraminfo can list it in a machine-readable manner.
* It is automatically flagged in the help when message-per-value mode is
used.
* In values lists in the help, it's specially marked (currently
strike-through).
* ApiSandbox will mark it in the widgets (currently strike-through).
Deprecation of submodules is not automatically detected here, that's
left for a later patch.
Bug: T123931
Change-Id: Idad6377063e457f9352a99df5c7cc15b1563579e
